On June 25, 2024, the State Bank of Vietnam (SBV) issued Document No. 5262/NHNN-CNTT providing guidance to the credit institutions, the foreign bank branches, and the payment intermediary service providers on the implementation of Decision 2345/QD-NHNN.
Accordingly, in order to implement Decision No. 2345/QD-NHNN on the measures to ensure the safety and security in online payments and bankcard payments, which takes effect from July 1, 2024, the SBV has provided guidance on some relevant contents for the implementation of Decision 2345 as follows:
- For customers who do not yet have chip-based ID cards, but only old ID cards (it is required to check the validity of these old ID cards in accordance with the laws), the authentication measure using biometric identification features of customers for the transactions of types C and D as specified in Article 1 of Decision 2345 shall be implemented by comparing with the biometric data stored in the collected and verified customer biometric database, in which the verification is performed by face-to-face methods. (The institutions shall instruct any customers in this category to register their biometric identification features directly at a transaction counter if they want to make online transactions valued over VND 10 million, or total daily transactions valued over VND 20 million).
For customers having chip-based ID cards but using mobile phones that do not support Near-Field Communication (NFC), the authentication measure using biometric identification features of customers for the transactions of types C and D as specified in Article 1 of Decision 2345 shall be implemented by:
(i) Matching the authentication of the customer's electronic identification account created by the electronic identification and authentication system (It is required to integrate Internet Banking and Mobile Banking applications into the electronic identification and authentication system to provide this service);
(ii) Or comparing with the biometric data stored in the collected and verified customer biometric database, in which the verification is performed as follows:
- Comparing the customer's biometric identification data with the biometric data stored in the chip of the customer's ID card issued by the competent public security agency, which must be performed at a transaction counter through a chip-based ID card reading device/phone;
- Or matching the customer's biometric identification data through the authentication of the customer's electronic identification account created by the electronic identification and authentication system.
Document No. 5262/NHNN-CNTT also states that, for the storage of information of customers’ devices (including computers using web browsers) used for transactions in accordance with Paragraph 3 of Article 2 of Decision 2345, it is only necessary to store the information for identifying and verifying the sole device for transactions. For other information as stipulated in Paragraph 3 of Article 2 of Decision 2345, it is not obliged to store all of the information.
Regarding the authentication for the deposit and withdrawal transactions from the e-wallets as specified in Appendix 01 of Decision 2345: For the deposit and withdrawal transactions from the e-wallets via payment accounts/debit cards, if the customer has been authenticated as the account owner by the bank when performing the connection using authentication measures for transactions of type B or higher (except for the authentication measures using biometric identification features attached to handheld smart devices), it is not required to apply the authentication measures for the deposit and withdrawal transactions from the e-wallets with limits: G ≤ VND 10 million and G + Tksth ≤ VND 20 million. For other transactions, it shall be implemented in compliance with Decision 2345.
In order to be ready for the implementation of Decision 2345 from July 1, 2024,the relevant entities are requested to implement the following tasks:
Organizing and implementing communication activities and providing guidance to all customers on the implementation of the authentication measures corresponding to transaction limits as prescribed in Decision 2345.
Preparing plans, hotline channels and arranging staff on duty 24/7 to promptly support customers to register and use biometric authentication services.
Proactively coordinating with the National Population Database Center, the Police Department for Administrative Management of Social Order, the Ministry of Public Security and other relevant organizations to prepare plans to address any difficulties and obstacles in the process of registering and using biometric authentication services from July 1, 2024.
Implementing technical solutions to ensure the information safety and security, as well as customers’ data, ensuring compliance with the legal regulations on personal data protection and the regulations on ensuring the safety and security of information systems.
During the implementation process, if there are arising difficulties or obstacles, the entities are requested to send reports to the SBV (the IT Department) via email: cntt8@sbv.gov.vn.
Le Hang